Re: How to group by a field and display multiple f...

andytangjpmc · ‎09-24-2019

I have trace, level, and message fields in my events. I want to group by trace, and I also want to display all other fields. I'm having issues with multiple fields lining up when they have different amount of lines.

Here's what I want:

+--------+-------+----------+
| trace1 | INFO  | Message1 |
|        |       | Line2    |
|        +-------+----------+
|        | DEBUG | Message2 |
|        +-------+----------+
|        | DEBUG | Message3 |
+--------+-------+----------+

But I end up with results like this:

+--------+-------+----------+
| trace1 | INFO  | Message1 |
|        +-------+ Line2    |
|        | DEBUG |          |
|        +-------+----------+
|        | DEBUG | Message2 |
|        +-------+----------+
|        |       | Message3 |
+--------+-------+----------+

Here's my search query:

| stats list(level), list(message) by trace

somesoni2 · ‎09-24-2019

Multiple level grouping (similar to merging columns in Excel) is not supported natively. For your requirement, try something like this:

..| stats list(message) by trace level

OR

...| eval Level_message=level."  ##  ".message | stats list(Level_message) by trace

How to group by a field and display multiple fields

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor